[Samba] pam_winbind, ssh and cross-forest membership...

Marco Gaiarin gaio at lilliput.linux.it
Tue Jan 11 13:38:07 UTC 2022


Hello! Rowland Penny via samba
  On that day it was said...

> Have you set up trusts between 'SUBA.DOM.IT' and 'DOM.IT' ?

Sure!


>>       id a
> Problem is, you should be using 'id DOMAIN\\a' , where 'DOMAIN' is the
> workgroup of user 'a'.

Forgot to say: 'winbind use default domain = Yes'.


>> There's some way to force it? Thanks.
> It will undoubtedly help if you post your smb.conf file.

Oh, sorry Rowland, true.

[global]
	kerberos method = secrets and keytab
	realm = DOM.IT
	security = ADS
	template shell = /bin/bash
	winbind expand groups = 5
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = DOM
	idmap config * : range = 1000 - 9999
	idmap config SUBD : backend = rid
	idmap config SUBD : range = 700000 - 749999
	idmap config SUBC : backend = rid
	idmap config SUBC : range = 500000 - 549999
	idmap config SUBB : backend = rid
	idmap config SUBB : range = 300000 - 349999
	idmap config SUBA : backend = rid
	idmap config SUBA : range = 10000 - 99999
	idmap config DOM : backend = rid
	idmap config DOM : range = 2000000-2999999
	idmap config * : backend = tdb


Following Alex's hint I've added 'winbind expand groups = 5'; in this way
a 'getent group groupa' effectively returns all the members, also those in
other domains (e.g. it returns 'SUBA\\usera'), but still a simple 'id SUBA\\usera'
does not return 'groupa' (or 'DOM\\groupa') as a membership.

-- 
  My son Christian used to say that death had to be something
  beautiful, since nobody ever came back.		(Yolande Mukagasana)
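A defender-side sanity check on the idmap part of an smb.conf like the one posted above, added here as an example that is not from this thread or from Samba itself: it parses the 'idmap config' lines and reports domains with no backend or range, inverted ranges, and ranges that overlap (overlapping ranges are a classic cause of winbind mapping problems). The config from the message is reused as a constructed sample; the function names are the example's own.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted in this message.
SAMPLE_SMB_CONF = """\
[global]
\trealm = DOM.IT
\tworkgroup = DOM
\tidmap config * : range = 1000 - 9999
\tidmap config SUBD : backend = rid
\tidmap config SUBD : range = 700000 - 749999
\tidmap config SUBC : backend = rid
\tidmap config SUBC : range = 500000 - 549999
\tidmap config SUBB : backend = rid
\tidmap config SUBB : range = 300000 - 349999
\tidmap config SUBA : backend = rid
\tidmap config SUBA : range = 10000 - 99999
\tidmap config DOM : backend = rid
\tidmap config DOM : range = 2000000-2999999
\tidmap config * : backend = tdb
"""

# Matches "idmap config <DOMAIN> : backend|range = <value>", case-insensitive and
# tolerant of the mixed spacing seen above ("1000 - 9999" vs "2000000-2999999").
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Collect backend and (low, high) range per idmap domain from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if key == "backend":
            entry["backend"] = value.lower()
        else:
            low, high = (int(x) for x in re.split(r"\s*-\s*", value, maxsplit=1))
            entry["range"] = (low, high)
    return domains

def check_idmap(domains):
    """Return human-readable problems: missing keys, inverted or overlapping ranges."""
    problems = []
    for dom, entry in sorted(domains.items()):
        if entry["backend"] is None:
            problems.append(f"{dom}: no backend configured")
        if entry["range"] is None:
            problems.append(f"{dom}: no range configured")
        elif entry["range"][0] >= entry["range"][1]:
            problems.append(f"{dom}: range low >= high")
    ranged = [(d, e["range"]) for d, e in sorted(domains.items()) if e["range"]]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # the two intervals intersect
            problems.append(f"{d1} {lo1}-{hi1} overlaps {d2} {lo2}-{hi2}")
    return problems

if __name__ == "__main__":
    for p in check_idmap(parse_idmap(SAMPLE_SMB_CONF)) or ["idmap ranges look consistent"]:
        print(p)
```

Run it against a real file with parse_idmap(open("/etc/samba/smb.conf").read()); for the posted config it reports nothing, so the missing cross-domain memberships are not an idmap range clash.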
